My blog about Active Directory and some more… MVP for Directory Services in the years 2008, 2009, 2010, 2011, 2012, 2013, 2014

Time configuration in a Windows Domain

In a domain, one of the most important settings is the time. It has to be as close as possible on all domain machines, which is achieved by setting up the hierarchy through which the domain time is distributed.

One important thing to know is that the Windows Time Service is NOT built to be a high-accuracy NTP solution going down to 1-2 seconds. See High Accuracy W32time Requirements for details. If you need highly accurate time, you have to use a “Stratum One” device, which is capable of this. The support boundaries are listed here.

Also important to know is that Domain Controllers use UTC (Coordinated Universal Time) with NTP, as this is the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings. You will never see the UTC time itself, because the time zone information stored in the computer’s registry is added to the system time just before it is displayed to the user.

One Domain Controller, the DC holding the PDC Emulator FSMO (Flexible Single Master Operations) role, is the time master in the domain. By default it uses its own BIOS time, but it should be pointed to another time source such as an NTP hardware device, a router, a layer 3 switch or external time servers that are able to act as a time provider.

All other Domain Controllers synchronize with this machine, and all domain member servers and domain workstations synchronize with an available DC. Therefore UDP port 123 (NTP) must be open on all machines. In a domain, time synchronization takes place when the Windows Time Service starts during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a Domain Controller that can authenticate and synchronize time with the client. When a Domain Controller is found, the client sends a request for time and waits for a reply from the Domain Controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.

Correct time is required by Kerberos V5 authentication to prevent “replay attacks,” because Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the Domain Controller need to be in sync as closely as possible. The default maximum time tolerance is 5 minutes; it is defined with a Group Policy setting and should not be changed.

If you really need to change the default tolerance, you have to use the following GPO setting:

For PEERS, set the time source listed above, either by its IP address or its DNS name. If more than one is needed, separate them with a space and don’t forget the quotes: “time.domain.com time1.domain.com”

– to configure a domain computer for automatic domain time synchronization, run:

w32tm /config /syncfromflags:domhier /update

After that you have to run:
net stop w32time
net start w32time

——————————————————————–

– to reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO to another Domain Controller, run:

w32tm /config /syncfromflags:domhier /reliable:no /update

After that you have to run:
net stop w32time
net start w32time
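As an added example (not from the original post), the following PowerShell script applies the peer list and the hierarchy settings above depending on whether the local DC holds the PDC Emulator role, restarts the service and verifies the result. It assumes the RSAT ActiveDirectory module is installed for Get-ADDomain; the peer names are placeholders.

```powershell
# Added example, not part of the original post: configure W32Time according to
# the FSMO role of the local Domain Controller, then verify the time hierarchy.
# Assumes the ActiveDirectory module (Get-ADDomain) is available.
#Requires -RunAsAdministrator
$Peers = 'time.domain.com time1.domain.com'   # placeholder: your Stratum One device / external servers

$pdc   = (Get-ADDomain).PDCEmulator           # FQDN of the PDC Emulator FSMO holder
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($local -ieq $pdc) {
    # The PDC Emulator is the time master: it syncs from the manual peer list and
    # advertises itself as a reliable time source for the rest of the domain.
    # The quotes are required as soon as more than one peer is listed.
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC, including a former PDC Emulator after a FSMO transfer or
    # seizure, follows the domain hierarchy and must not claim to be reliable.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

# The new configuration is only picked up after a service restart
# (the same as "net stop w32time" / "net start w32time").
Restart-Service w32time
w32tm /resync /rediscover

# Verification: where the time comes from, stratum, and last successful sync.
w32tm /query /source
w32tm /query /status

# Offset of this DC against the PDC Emulator. Anything approaching the
# 5-minute Kerberos tolerance is a problem long before logons start to fail.
w32tm /stripchart /computer:$pdc /samples:3 /dataonly
```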

——————————————————————–

If you have to reconfigure a Windows 2000 Server Domain Controller, the steps are different after transferring/seizing the PDC Emulator role to another Domain Controller:

– you have to modify the “Type” value to “Nt5Ds” without the quotes under this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

——————————————————————–

If you have problems with the time service configuration because too many changes were made in the registry, or you would like to start fresh on a computer, you can reset the time service to its default state in the following way. Make sure to use an elevated command prompt so that you have full administrative permissions. Then type in the following commands:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

——————————————————————–

To prevent large time jumps on DCs of more than 48 hours into the past or the future, caused by hardware errors or a broken CMOS battery, you should implement some registry changes on Windows Server 2003 and Windows Server 2008 DCs. The registry values MaxPosPhaseCorrection and MaxNegPhaseCorrection become important here. On newer OS versions this is already implemented. More details about the chosen 48 hours and how to configure it correctly can be read in this article.
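As an added example (not from the original post), this PowerShell script reports the current phase correction limits and caps them at 48 hours. It relies on the fact, not stated above, that both values live under the W32Time\Config key and are expressed in seconds, and that a registry DWORD of 0xFFFFFFFF means the service will accept any correction.

```powershell
# Added example, not part of the original post: audit and enforce the 48-hour
# phase correction cap so a DC with a dead CMOS battery cannot jump days at once.
# MaxPosPhaseCorrection / MaxNegPhaseCorrection are REG_DWORD values in seconds
# under W32Time\Config; 0xFFFFFFFF means "never reject a correction".
#Requires -RunAsAdministrator
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$MaxJump   = 48 * 3600            # 48 hours expressed in seconds
$Unlimited = 0xFFFFFFFF

foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    $current = (Get-ItemProperty -Path $ConfigKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        Write-Warning "$name is not set; the built-in default of this OS version applies"
    } else {
        # A DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1; undo that.
        $raw = [int64]$current -band 0xFFFFFFFF
        if ($raw -eq $Unlimited) {
            Write-Warning "$name is unlimited (0xFFFFFFFF): any time jump would be accepted"
        } elseif ($raw -gt $MaxJump) {
            Write-Warning ("{0} = {1} s: jumps of more than 48 h would be accepted" -f $name, $raw)
        } else {
            Write-Output ("{0} = {1} s (within the 48 h cap)" -f $name, $raw)
        }
    }
    # Enforce the cap; Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $ConfigKey -Name $name -Value $MaxJump -Type DWord
}

# Make the service re-read its configuration and show the effective values.
w32tm /config /update
Restart-Service w32time
w32tm /query /configuration | Select-String 'PhaseCorrection'
```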

If you really still run Windows 2000 Server SP4 Domain Controllers, hopefully not, then the following registry change should be made to avoid the time jump. Here MaxAllowedClockErrInSecs has to be set in HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters as described in this article.

For other, more detailed configuration settings you have to use the registry, which Microsoft does not recommend without a special need; you should always test such changes before applying them. See “Windows Time Service Registry Entries” in this article.